In analyzing a protocol that secures information, one must pose several questions. How secure is the protocol? What elements of the protocol can fail? Finding the weak link in the chain of intellectual property rights encoding helps to improve the protocol and further the aims of security.
Intellectual property rights encoding partakes of both identity and dissemination models of information protection--clients and servers exchange the details of the identity of the PICS labels through the dissemination method of encrypted channels. Because documents will be distributed through a secure protocol which extends the details of Netscape's SSL, the intellectual property of rights-encoded information will likely be as secure as information transferred through traditional SSL. Rights-aware servers will not exchange sensitive information because extended-SSL connections terminate for poor exchanges. As such, should the handshake between client and server result in a miscommunication, no part of a rights-encoded document should pass between the parties.
While the dissemination component remains secure, difficulties of rights encoding will likely arise from protocol details concerning the identity components of securing information. Andrew Daviel's proposition for rights, in particular, suggests the possibility of errors in processing rights. For example, should a document allow the right of printing but disallow saving, users could "save" copies of through the printing of a printer-ready file. The flexibility of three distinct levels of rights offers additional areas of concern. Because Daviel provides for a conditional allowance of specific rights, user agent developers may need to consider the possibilities of these conditions.
In considering Daviel's suggestions, conditional allowance or intellectual property rights makes no mention of specific conditions and provisions for implementation, simply dictating the generation of a message to the user. What manner of conditions would a content developer place upon the intellectual property rights of information? One possibility would be location--content developers may wish to allow only specific users at a given range of IP addresses to access and copy information. Authors could specify, for example, conditions for printing books or stories to a given publishing company's network only, or a musician could provide the conditional allowance for saving pages to band-mates only.
While allowing conditions may increase the flexibility of rights encoding, the possibilities of abuse or misappropriation also increase. The lack of specific details regarding the conditional allowances for rights suggests further research prior to implementation would serve to ensure protection--a simplification of rights levels to allow vs. disallow offers both greater security and the opportunity to pursue that research.
Another concern in using encryption for information security is its application. Despite wide opposition, the government regulates the export of strong cryptography, such as the encryption technology used in SSL. Web clients that implement cryptography are "covered by the Defense Trade Regulations . . . it remains a crime to distribute cryptographic software outside the Unites States without an export license" (Garfinkel 371-372). Despite recent changes to policy, the relative current impact of encrypted rights encoding will likely limit foreign access to secured information.
When considering the impact of providing intellectual property rights information with web documents, one area of note is the software and hardware that interact with the user agent. When providing user agents with rights-aware capabilities, content developers must account for possible security concerns with the software and hardware on a user's system. Of particular interest are operating systems, user interfaces, and printing hardware. In addition, content developers should take note of software such as search engines and caching proxies and the impact of rights-aware content upon them--such services may greatly affect the degree to which users access their content.
The operating system and user interface may present one particular pitfall to client-agent rights over content. While a rights-aware user agent may control whether or not a user may print or save content, the user interface frequently manages the provisions for cut-and-paste. Within a command-line shell, for example, a given user may choose to run a text-based browser such as Lynx--when the user agent displays the requested content, the user interface may allow cut-and-paste from the command-line, determining the content to be from the shell, not from the browser. As such, to provide true security of content, operating systems and user interfaces should offer provisions for the management of secure content. With provisions for rights-encoded content, augmented operating systems could allow content developers to disseminate information without the fear of misappropriation.
One possible augmentation to the protection of content could involve the development of rights-aware hardware. Manufacturers such as Hewlett Packard or Lexmark, for example, could provide the capability for their printer products to recognize intellectual property information on printed documents. Should a user agent access a protected document, such built-in capabilities on a printer device could prevent the printing of the content should the user agent protection fail.
Additionally, manufacturers could develop other peripherals that implement or augment the intellectual property protections on content. Modems or network devices could recognize and mark rights-encoded content when transmitting information between machines. In addition, storage devices and output devices, like printers, could prevent the saving and output of protected content, respectively. Pager and cellular devices with the capability of receiving web-based information, a relatively recent advent in web browsing, could protect content through rights-aware firmware. When coding software interfaces to devices, operating system developers and hardware developers could provide specialized device drivers for the processing of rights-enabled content.
Encoding intellectual property information on pages eliminates the effectiveness of search engines and robots over the Web. Unfortunately, given the encryption requirements, pages available through SSL are seldom indexed by robots. As such, rights-protected content would not reach the widest possible audience. To provide indexing for such pages, the authors of robots and indexing agents would likely need to undertake the troublesome task of coding SSL capabilities into their software. Robot authors would accordingly need to agree to abide by the provisions of the document rights encoded upon given pages.
One significant benefit of rights encoding, however, is the possibility of the copyright-enabled content to be cacheable. Because the intellectual property information resides either on the document itself or on a directly associated document, caching proxy software such as Squid (Squid 1), if made rights aware, could deliver such content without excessive bandwidth. Such provisions may, in fact, reduce the apprehension many developers hold for Web caching systems.
Proxies, however, may also offer troublesome capabilities--the means by which parties can filter the transmissions between server and user agent. While effective tools for filtering content over the web, filtering proxies like Muffin (Boyns 1) may also present the ability to filter certain content out from the transmission. Through employing such a proxy, a party could effectively delete references to intellectual property rights on content. To combat the dangers of applying filtering proxies to rights-enabled content, developers of proxy software may wish to consider additional rights-aware protections to avoid misappropriation. Like developers of robot software, authors of filtering proxies should agree to abide by the document rights provisions of documents.
Posing a similar problem, mirroring software such as WebWhacker (Blue 1) behaves much like indexing robots. Unlike caches and software indexers, however, software like WebWhacker provides the means to directly appropriate or misappropriate web-based information. Through recursive requests over the links in HTML documents, mirroring software can obtain all the information contained upon a site. Current mirroring software will fail to appropriately access rights-encoded documents delivered through the secure channels. Future enhancements to current software, however, may provide the means for parties to misappropriate and modify information. Accordingly, authors developing mirroring software for use with rights-encoded documents should agree to abide by the conventions of this protocol.
Because of the use of digital certificates, certification authorities will play a key role in the implementation of this protocol. A certification authority such as Verisign would allow "individuals with no prior relationship to establish each other's identity and engage in legal transaction" (Garfinkel 114) through the issuance of certificates to a particular individuals or organizations. The certification authority thus provides the needed infrastructure for proper authentication of a rights-aware browser. This protocol dictates the need for a new class of digital certificate--the user agent certificate. Through such a certificate, developers of browsers and robots can establish the virtual identity and more importantly, the capabilities of their software to web servers.
To ensure the security of user agent software, software developers should provide the browser to the authority for certification. The appropriate authority would then review the product, determining the degree to which the software implements intellectual property security protocols. Following such a review process, the certification authority would then issue a user agent certificate to be coded into the software. Major software revisions should undergo repeated review for a new digital certificate.
An similar authority could provide another boon for intellectual property protection--an authority that would govern the application and implementation of intellectual property rights in the digital arena. Serving similarly to the United States Patent and Trademark Office, or the World Intellectual Property Organization, such an authority would help implement intellectual property protection standards, as well as shape the policy of users and organizations.
The HTML 4.0 Specification describes a link as "a connection from one Web resource to another" (W3C, Links 1). Because secure rights encoding governs the control of quotation of information, connecting information from one resource to another, integrating rights encoding with the processing of HTML can offer added functionality to content developers.
The HTML 4.0 Specification offers the BLOCKQUOTE and Q elements to markup quotations. In addition, the attribute cite of both BLOCKQUOTE and Q allows authors the means to provide a URL linking to the source document (W3C, Text 1). For responsible web authors, the provision of a citation to the source document allows web users to obtain further information. Should a content developer decide to rescind the right to quote from his source document, the existing BLOCKQUOTE or Q would still remain accessible on the page. Rights-aware web client software, however, could process the cite attribute and determine the encoded disposition of source document to quotation.